
Comment Re:Stupid Passenger, but why was it an issue? (Score 1) 138

Do I think planes should have radio sniffing equipment? Yes, absolutely. The idiotic name of the speaker, and the passenger dumb enough to take it on board, are guilty, that's without argument. However, that being true, it's not difficult to figure out what's broadcasting, and all the annoyance could have been avoided, and that's really a bigger issue.

Comment Stupid Passenger, but why was it an issue? (Score 0) 138

The name is irrelevant, granted, no one should call a BT device "BOMB" on an airplane. You can capture the packets, and determine what the device is, which would quickly resolve the concern. The real issue, as I see it, why didn't they do that before overreacting? They could have determined the BT device, found where it is, and determined why it was called "BOMB", then deal with it.

In 2026, are planes not equipped to determine wireless devices? It would seem nearly essential to capture the air traffic in the plane, if an accident was to happen, shouldn't you know what was going on in terms of possible radio frequency interference?

Comment Microsoft sends spam, what's different about this? (Score 1) 17

I frequently get emails from Microsoft that I refuse to interact with, simply because they look like they're from a scammer. I've had our CSM call me, and ask why I didn't accept the link in an email from Microsoft. When I showed him the email, he rolled his eyes, agreed it looked insane, and didn't blame me for ignoring it. He resent the email to me on that call, and it looked just as scammy and scummy as the original. I had him include a security researcher from Azure on the call, who assured me up and down the email was legit, and still opened it in a VM.

Since Microsoft sends junk emails, attackers know they can just follow the Microsoft playbook. Who's going to question an email from someone impersonating Microsoft, when Microsoft does a terrible job impersonating Microsoft? Every single cybersecurity 101 style course, from the most lacklustre, quick generated, reused, out of date training module, will tell you to never click anything in an email Microsoft would send you?

Email is a terrible method of communication without leveraging PGP, or another verification protocol.

Comment Re:Who cares? You don't need 5GB of storage! (Score 1) 99

I don't think we're going to agree, which is fine. I just can't stand useless data hoarding. When I was saying junk, I mean useless emails, I gave some examples in another response, and I've been told by lawyers to stop collecting junk. If your company has a policy to keep everything, fine, but, to me, that's wasteful and lazy.

I really don't think it takes that much effort to determine useful from useless, an email to change core specs from a system, useful. An email informing me you're going to email me later, useless.

Comment Make the desktop environment a configurable choice (Score 1) 98

How hard would it really be to allow Plasma, Gnome, XFCE, Budgie, or other desktops to run on top of Windows? With all of Microsoft's resources, and engineering skill, including unlimited capital, why not just allow the user to pick the desktop that fits their needs and use cases? Give the user a choice between KDE or DWM (I think that's what the Windows desktop is called), and watch the usability skyrocket.

There probably or almost certainly would be some licensing complexity / issues to work out, but that is legal's job. If Microsoft wants to support users, support them, and let them pick how they want their system to be used, and interfaced with. One thing is certain, Microsoft is terrible at deciding for the user.

Comment Welcome to modern cybersecurity. (Score 1) 62

The alarming issue is how common it is for secrets to be leaked. This isn't a one-off, it's constant, and with the advent of tools and platforms to prevent it, it's shocking how common it is. Why hard-code any secret? Proton Pass CLI is a great tool for storing secrets, and recalling them at run time only when needed. If you don't want to use Proton Pass, fair enough, many tools exist to provide the abstracted security.

Another disturbing point, why was GitHub being used? Standing up a Git server is easy, and I would call into question the skills and competence of any security or IT contractor that couldn't or wouldn't. They mention synchronizing between computers, which is fair, but use a private self-hosted Git solution, that is locked down and IP / Geo Restricted, with logging and audit trails.

This also brings into question the competence level of the contractor, do they not force people to take cybersecurity training? I would be calling up their latest test results and taking a careful look because either they didn't take any, which is a major flashing red alert, or they cheated and didn't actually get anything from it, or, they ignored the training, which is severe.

Is firing the right move? Maybe legal action? Perhaps just education? I don't know what the "fix" is for this issue, but it's becoming far too common, and that's a bigger issue. With the advent of LLMs you can ask the LLM to find all security credential leaks, and you should.

Comment Re:Who cares? You don't need 5GB of storage! (Score 1) 99

The core troublemakers I'm thinking of were using Outlook with PST files, which gave me PTSD (not really). I've seen it with many email systems, not just Outlook / Exchange, I have a few Zimbra horror stories. You're making the same argument I'm making, where most of the emails are effectively junk. Email should be plain text, but most email clients enable HTML formatting which makes everything a mess, and really you should only be using plain text with no encoding.

We appreciate your updated information. We are reviewing with Manulife and will respond early next week with any further updates.

That's an email I got last week, on Friday, what value does it have? The lady emailed me back to alert me I'm going to get another email, which is fine she's informing me she got the information, and to wait. The email was deleted, since it serves no purpose outside of her confirming she got my information, which is information that would be covered by PIPEDA (which would be the Canadian HIPAA equivalent).

You brought up something else, those stupid chains where 100 people reply, and you have all the nonsense threads in the email. Why keep that nonsense? I know people who will get furious if you remove it. What value does it hold? None! There is no value to it, just remove it from every email, you already have the previous discourse, it's all preserved.

On a final note, I have dealt with company lawyers, and lawyers in general, they don't want you to keep insane email caches. They only want you to save legally relevant or at least legally questionable information. If you give a lawyer 100 GB of email to sort through, you're going to have it thrown back at you, with a demand to prune it. My old boss, the 100 GB email guy, used to include the company lawyer on every email in the CC header. The number of times as a % he said back in a paraphrased form: "Not legally relevant", was hilarious, over 95% of the time. At another company, the lawyer had the same problem, people would CC her, and she kept insisting it was pointless, since the vast majority of communication had no legal value. She stored her email in a VeraCrypt volume, that she had to open every morning, and lock every evening. She's the one who told me to PGP sign every email if it was legally relevant, so it has a chain of ownership.

Comment Re:Who cares? You don't need 5GB of storage! (Score 1) 99

I said junk emails, I didn't say legally relevant discourse, I even made that distinction. Of course, there are things you should keep, but not everything. I will never keep an email where someone is alerting me they'll email me later, I'll just wait for that later email. I will never keep an email where someone is asking me to upload stuff to their site, once I upload whatever, they confirm, I delete the email. There's no value to the email once the upload is done, the system will have the full audit log, which is much more legally relevant.

If you need to keep an email for legal reasons, make sure the person in question is signing / encrypting it with PGP, and make sure your keyring is in good standing. If they don't sign the email, you can't demonstrate they sent it, at best you can assume with a huge margin of risk and error. Even then, you're still not at 100% of emails being legally relevant, you might be at 1%, maybe 5%.
